Tuesday, May 5, 2015

Dumping user passwords in plaintext on Windows 8.1 and Server 2012

A couple of days back, I read this very interesting post on TrustedSec's blog. According to the post, it is possible to dump passwords in plaintext from Windows 8.1 with a simple Registry hack. All we need to do is:

1. Create the registry key property "UseLogonCredential" at HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and set its value to 1.

2. Lock the target computer.

3. Run Mimikatz when a user logs in.

Simple, isn't it? We can use PowerShell to easily achieve the above steps.

The registry key property can be created with:

The target computer can be locked with the code found here (thanks @subTee):

The computer unlock event can be captured with (thanks @mattifestation):

The above can be assembled into a PowerShell script for easy use. Let me give you Invoke-MimikatzWdigestDowngrade.ps1. The name is too long for a single script, but I like it :) It uses Invoke-Mimikatz from PowerSploit (thanks to @JosephBialek and @gentilkiwi for that). Invoke-MimikatzWdigestDowngrade is available here in the GitHub repo of Nishang.

Here is the script in action on a Windows Server 2012:

Without the downgrade, Invoke-Mimikatz on a Server 2012 machine looks like this:

And with Invoke-MimikatzWdigestDowngrade (AFTER the user unlocks the machine):

Bingo! We successfully dumped the user's password in plaintext.

Notice that the event trigger started a job, so we may need to use the Get-Job | Receive-Job cmdlets to see the output.

The video below shows the script in action:

For access to the remote machine, I used PowerShell shells like Powercat and a couple of custom PowerShell shells which I will publish soon.

Unfortunately, in my tests, the script doesn't work from PowerShell remoting or Meterpreter. As far as I know, the inability to run scripts in the user's context is the reason for the failure in PowerShell remoting. But I am unaware of why it is not working with Meterpreter.

This is one of the various examples where PowerShell enhances a penetration test by combining various simple techniques together. Knowing PowerShell is crucial for better security testing from both the red team's and the blue team's perspective.

Things to note/Meh!:

This script makes changes to the target by adding a registry key property; the setting is removed after the script finishes executing. Administrative privileges are required.
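From the blue team's side, the registry change above is the thing to watch. The following PowerShell is an added defender-side example (not code from the original post or from Nishang): it audits the UseLogonCredential value, resets it to 0 if it is found enabled, and lists recent Sysmon registry-write events against that value. It assumes an elevated session and, for the log query, that Sysmon is installed with registry value logging (Event ID 13) configured.

```powershell
# Added defensive check, not part of the original post or Nishang.
# Audits the WDigest UseLogonCredential value and restores it to 0 so WDigest
# stops caching plaintext credentials in LSASS. Assumptions: elevated session;
# the Sysmon lookup only returns data if Sysmon logs registry value writes (ID 13).
$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName   = 'UseLogonCredential'

function Get-WDigestPlaintextState {
    # Returns 'Enabled' (value 1), 'Disabled' (value 0) or 'NotPresent'
    # (value absent: on 8.1/2012 R2 this means plaintext caching is off).
    $item = Get-ItemProperty -Path $WDigestPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotPresent' }
    if ([int]$item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Disable-WDigestPlaintext {
    # Pin the value to 0 instead of deleting it, so a later write to 1 is a
    # visible modification of an existing value rather than a fresh creation.
    Set-ItemProperty -Path $WDigestPath -Name $ValueName -Value 0 -Type DWord
}

function Get-WDigestRegistryWrites {
    # Sysmon "Registry value set" events (ID 13) that touched UseLogonCredential.
    # An unexpected write here is what a blue team should alert on.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 13
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WDigest\\UseLogonCredential' } |
        Select-Object TimeCreated, Message
}

$state = Get-WDigestPlaintextState
Write-Output "WDigest plaintext caching: $state"
if ($state -eq 'Enabled') {
    Write-Warning 'UseLogonCredential=1: WDigest is caching plaintext credentials in LSASS.'
    Disable-WDigestPlaintext
    Write-Output "Reset to 0 (now: $(Get-WDigestPlaintextState))."
    Write-Output 'Credentials already cached remain in memory until those sessions end.'
}
Get-WDigestRegistryWrites | Format-Table -AutoSize
```

Because the downgrade script removes the setting after it runs, a point-in-time audit can miss it; the Sysmon event query is what catches the brief window in which the value was set to 1.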